Speech by SEC Staff:
Second Annual General Counsel Roundtable: Tone at the Top: Getting it Right

by

Stephen M. Cutler

Director, Division of Enforcement
U.S. Securities and Exchange Commission

Washington, D.C.
December 3, 2004

An awful lot of people seem to be paying an awful lot of attention to "tone at the top" these days. Articles are being written about it. Speeches (in addition to this one) are being given about it. "Tone at the top" seems to have become a panacea for what is ill in corporate America, and an explanation for much of what has gone wrong.

And I'm sure I don't have to tell you that much has gone wrong. Allow me to spend just a few minutes recapping the last couple of years from an SEC enforcement perspective - and actually, as is the case with all of my remarks today, from my own personal perspective and not the perspective of the Commission or other members of the Commission staff. In the last two fiscal years, the SEC has brought more than 1,300 civil cases and has obtained orders for disgorgement and penalties in excess of $5 billion. These numbers far exceed those of any other two-year time frame in the Commission's history. In this same period, the Department of Justice has brought criminal cases alleging securities-related misconduct by more than 500 defendants.

But it's a recitation of the names (and not the numbers) that I think best conveys a sense of the period that we've been through. In the accounting and financial reporting area, the subjects of our enforcement actions in the last two years include: Enron's Ken Lay, Jeff Skilling, and Andy Fastow and their bankers, Merrill Lynch, Citigroup, J.P. Morgan/Chase and CIBC; WorldCom, Bernie Ebbers and Scott Sullivan; HealthSouth and Richard Scrushy; Qwest; Tyco and Dennis Kozlowski; Hollinger, Conrad Black and David Radler; Adelphia and the Rigases; Lucent Technologies; Parmalat; Gateway Computer; Peregrine Systems; Ernst & Young; General Electric; Schering-Plough and Richard Kogan; Royal Dutch Shell; Halliburton; Gemstar/TV Guide, Henry Yuen and Elsie Leung; Grant Thornton; Computer Associates and Sanjay Kumar; Warnaco and Linda Wachner; Homestore; Symbol Technologies and Tomo Razmilovic; AIG; Wachovia; Vivendi and Jean-Marie Messier; Xerox, Paul Allaire, Richard Thoman, Barry Romeril and KPMG; Royal Ahold; and PriceWaterhouseCoopers.

It takes your breath away. But what does this have to do with tone at the top? One of the connections is probably obvious to everyone here: that is, in so many of the cases I've just cited, the tone at the top couldn't have been all that . . . well, pretty. Indeed, in the last two plus years, we have sued in the neighborhood of 100 public company CEOs. And if CEOs were themselves breaking the law, then they couldn't have been setting a particularly melodious tone.

But there's another, perhaps less obvious connection between what we've been doing in the enforcement arena and tone at the top - and for these purposes, I want to focus on the penalties we have sought and obtained not from the individuals we have charged, but from the institutions with which they were affiliated. Violations of the securities laws are very frequently the product of both individual failings and a deficient corporate culture. Among other things, a complex accounting fraud rarely can be accomplished by one or two rogue employees, acting on their own. It ordinarily takes, as the junior senator from New York might say, a village. And therein lies the answer - or at least an answer - to the question why we've sought penalties not just against individuals, but against companies, too: We're trying to create an environment that reduces the risk of misconduct at all levels of a company - an environment in which the people who run public companies will do more than simply keep themselves out of jail.

In short, we're trying to induce companies to address matters of tone and culture. We're trying to get the fundamentally honest, decent CEO or CFO or General Counsel - the one who wouldn't break the law - to say to herself when she wakes up in the morning: "I'm going to spend part of my day today worrying about, and doing something about, the culture of my company. I'm going to make sure that others at the company don't break the law, and don't even come close to breaking the law."

What we're asking of that CEO, CFO or General Counsel goes beyond what a perp walk or an enforcement action against another company executive might impel her to do. We're hoping that if she sees that a failure of corporate culture can result in a fine that significantly exceeds the proverbial "cost of doing business," and reflects a failure on her watch - and a failure on terms that everyone can understand: the company's bottom line - she may have a little more incentive to pay attention to the environment in which her company's employees do their jobs.

So when we impose penalties on the order of $750 million against WorldCom or $250 million against Qwest or $100 million against Bristol-Myers Squibb or $100 million against Alliance Capital, what we're really targeting are the hearts and minds of senior executives. We want them to know that there are serious, real-world consequences to them if their institutions fail to adhere to the law - even if they aren't themselves scofflaws.

Of course, the flip side of this approach is that we have to reward companies that, notwithstanding a violation of the law, can demonstrate that they had or have made significant efforts to achieve a culture of compliance. So, if you look at the Commission's 21(a) report in the Seaboard matter, you'll see that the Commission seeks to recognize, in its charging and sanctioning decisions (and in its decisions not to charge and not to sanction), efforts by companies to police themselves, report problems to the government and establish a solid culture of compliance.

And by the way, we're not alone in our concern with these matters. The Department of Justice (in the Thompson memo), and the U.S. Sentencing Commission (in the sentencing guidelines) have emphasized the need for companies to have strong ethics and antifraud programs. So has Congress - in the form of statutory requirements that CEOs and CFOs certify financials and put in place effective disclosure and internal controls. That's why I want to address a subject that's ordinarily left to business people, business schools, and business psychologists. No, I've never run a public company; and no, I don't profess to be an expert in the area. But I do have some suggestions gleaned from my own experience as a regulator, prosecutor, and even as a manager of a large group of staff. And all of my suggestions boil down to this: You've got to talk the talk; and you've got to walk the walk. Both are critical to maintaining a good tone at the top. Let me flesh that out a bit.

Talking the Talk

First, talking the talk: From an employee's first day on the job to the day he gets his gold watch, he should know that ethics and honesty are important at your company. And how should he know that? Because you've told him so. Every company - it really should go without saying - must have a strong code of ethics and a set of written policies and procedures to enforce and reinforce those standards.

But it's not enough just to put those documents in the company manual that you hand out at orientation or trot out once a year. You have to talk about the company's ethical standards again and again. Those standards have to infuse the day-to-day lives of your employees. What does that mean? Ethics and compliance should be part of your regular education and training efforts - and I mean efforts that go beyond perfunctory lectures about legal requirements, but embrace well-conceived, real-life situations and dialogue. It also means that whenever your CEO is delivering a state-of-the-company address to company employees, or offering remarks at a company event, she should be talking about the company's values as well as its profits. Too many times in our cases, we've seen instances of senior managers demanding "results," and what employees heard was a demand for "results at any cost - including non-compliance with the rules."

What's more, it has to be senior management - not just the legal department, the compliance professionals, or human resource experts - that does the talking. Matters of ethics and culture shouldn't be shunted off to the outer edges (or cost centers) of a corporate organization. In order to convey the importance of integrity and honesty to a corporation's employees, those who run the business, those who are responsible for the bottom line, have to be the ones to tell employees that integrity and honesty matter. For if they don't do it, employees won't believe that those values are core values; they won't believe that integrity and honesty are important to those who really matter; they won't believe that their path to success will require adherence to those values. So when you take your ethics road show to your employees, have your most senior managers play an active role. I know of a very large financial services firm where the CEO is planning to have a series of dinners with all of the company's high-level supervisors all over the world to discuss compliance issues. The object is to instill in employees the notion that these issues are important - or, as Chairman Donaldson has said, to make ethics part of the company's DNA.

And no double talk. You can't say to the broad audience that ethics, integrity and honesty are important, but ignore them (or worse yet, joke about them or dismiss them) when you're in a social setting, or "off line," or off the record, or when you're talking to smaller groups. At Enron, we know that senior managers conducted a skit in which one of the themes was deceiving the SEC. That probably didn't help create a culture of respect for the law. At Hollinger, Conrad Black wrote an email in which he referred to his company's shareholders as "a bunch of self-righteous hypocrites and ingrates." Finally, what no double talk also means is that if something goes wrong, if there is an ethical or legal lapse, be candid about it, acknowledge it, and don't try to minimize it. Instead, tell your employees (and the world at large) that it shouldn't have happened and that it's inconsistent with the kind of company you want to be.

Let me make just two more points about talking the talk: First, in an ideal world, the talk should extend beyond your company's own walls - to those with whom your company does business - vendors, consultants, customers, contractors, etc. Over the past year, a number of our cases have included charges against such third parties: for sending false invoices or audit confirmations, for engaging in fraudulent round-trip transactions and for otherwise facilitating or aiding a public company's fraudulent schemes. Without their complicity, the public companies with which they had dealings may not have been able to violate the law. Clearly, and this is something that Ben Heineman at G.E. preaches, it's important to deliver the message of integrity, honesty and truthfulness to those with whom you do business.

Second, as this audience is well aware, good communication means speaking and listening in equal parts. To know what ethical issues your employees face, to really get a sense of them, you've got to be able to listen to your employees' concerns. This means ensuring that there is a safe, reliable and well-known avenue of communication open to those who have ethical questions or who want to report possible compliance shortcomings. Empower employees to identify possible misconduct - indeed, consider requiring employees to identify it when they're aware of it. As the head of the Commission's examination program, Lori Richards, has said, "be[] ready and able to hear bad news." And make it clear that retaliating against or threatening a whistle-blower will not be tolerated and will be viewed as a "fire"-able offense.

Sarbanes-Oxley requires that a listed issuer's audit committee establish procedures for the confidential submission of concerns regarding questionable accounting or auditing matters. Let me offer an additional suggestion: the appointment of a permanent ombudsman or business practices officer to receive and investigate complaints - a private inspector general, if you will. That person might report to the audit committee to ensure his independence, and also to ensure that company's board is fully aware of emerging ethical or legal issues reported by company employees.

As part of its settlement with Qwest, the Commission required the company to permanently maintain such a position. And while I don't mean to equate Qwest's situation with that of other companies, I do think the position makes sense, both practically, as a way to catch and resolve problems before they metastasize, and symbolically, as an institutional commitment to the importance of ethics, integrity, and legal compliance.

Walking the Walk

That brings me to walking the walk. All the words in the world mean nothing without deeds to support them. You have to pay more than lip service to values. You have to live them. The last few years have provided any number of examples of companies that failed to practice what they appeared to preach. Enron had the corporate slogan of "Respect, Integrity, Community, Excellence." To the employees and shareholders who lost their pensions or their life savings in the fraud, the words of that slogan ring rather hollow. In October 2003, at a conference of corporate directors, then Chairman and CEO of Computer Associates Sanjay Kumar bragged about his company's state-of-the-art corporate governance and business ethics practices. At the same time, according to the cases filed against him, Mr. Kumar was engaged in a large-scale fraud. As former IBM CEO Lou Gerstner has said, "you can't simply give a couple of speeches or write a new credo for the company and declare that a new culture has taken hold. You can't mandate it, can't engineer it. What you can do is create the conditions for transformation. You can provide incentives."

So here is my own, underinclusive, idiosyncratic list of ways in which a company can do just that:

First, and I guess this is rather obvious: managers themselves have to comply with the letter and the spirit of the rules. Employees watch what their managers do as well as say - they scrutinize their every move and follow their lead. If employees see managers bend the rules, they'll bend the rules.

That applies to the smallest of rules. If all employees are required to attend the company's ethics training program, then senior management should be attending the training too. They can't just say, "well, that's for the others, I don't need to do that."

Second, make character a part of the firm's set of key hiring criteria. Or, to borrow a phrase from Jim Carville: "It's the people, stupid." If you can attract and retain people of good moral character, you've won half the battle. As one company executive recently put it to me, "It's the reverse of the 'meatball magnetism' theory. Meatballs might be attracted to one another, but so are honest people. Hire a bunch and you're likely to get more." Think about this in a serious way when you hire entry-level employees - go beyond the background check designed to determine whether the prospective employee has a criminal record or was kicked out of school or fired from the last job.

Third, and this really follows from the last point: make integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that "doing the right thing" is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they'll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he'll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record.

Fourth, make it clear that you won't tolerate compliance risks - even if that means losing a lucrative piece of business or a client or a transaction. Convey, with your actions, that your company's long-term reputation and success are more important than short-term profitability. When he was the general counsel of PaineWebber, Ted Levine said, "good compliance is good business." After all, as we have too frequently seen, the financial costs of non-compliance can be terribly high. In the case of Enron, and in the case of Arthur Anderson, the consequences were catastrophic.

Fifth, when someone does commit an ethical violation, a company should move to fix the problem and remedy the harm as quickly as possible. It also has to take appropriate action against the offending employee - swiftly and firmly. It speaks volumes when a company fires or suspends a rainmaker or other important employee for an ethical breach; and just as importantly, it speaks volumes when a company doesn't. And as much as possible (and consistent with privacy concerns), the punishment and the reason for it should be clear to the company's other employees. Not too long ago, a company came in to tell us about some rule violations by a handful of employees. After applauding the company's decision to self-report, we asked whether the company had experienced any similar problems in the past. The company said that it had, but was quick to add that they had disciplined those employees. The problem, though, was that those disciplinary measures had been taken so quietly that the company had failed to convey to its other employees in a clear and forceful way that such conduct was unacceptable. Perhaps as a result, the company found itself having to deal with the same rule violations by a different set of employees. Setting the right tone means letting employees know that no one at the company is above the law; that no matter how important or how senior, someone who has violated an ethical standard will be punished.

Sixth, hold all of your managers accountable for setting the right tone. That means disciplining or even firing them when they have failed to create a culture of compliance. Human nature being what it is, there will be those who break the rules. But if managers don't do enough to prevent those violations, or let them go unaddressed for too long, then they should be held responsible - even in the absence of direct involvement in those violations.

Seventh, monitor, follow up and re-assess.

Cultivating a culture of compliance requires a sustainable effort. A one-time push is not enough. Employees will see such an effort for what it is and won't believe it represents a true commitment to an ethical culture. You have to make sure, on a regular basis, that your code of conduct and your policies and procedures are being followed. That means giving your internal audit and compliance functions the resources and tools they need to do their jobs. Examine data from complaint lines and your ombudsman to determine whether your company is living up to its values. And don't get complacent. It's easy to fall victim to the phenomenon of "creeping" non-compliance. Business practices can change incrementally so that - in the same way you might not notice someone growing old if you see that person every day - it might be hard to appreciate how far a business practice has changed since its inception. Try to look at business practices anew on a periodic basis; don't just assume that if a practice passed muster years ago, it's still okay. And by the same token, look at your compliance regime periodically to make sure that it still works for your business.

As Richard Breeden wrote from his perch as WorldCom's Corporate Moniter: "[I]n several areas, WorldCom exceeded the accepted norms of 'best practice' in corporate governance, even though there was little if anything about its governance that was 'good' in reality. This illustrates the fact that good governance is not achieved by simply adhering to 'checklists' of recommended 'best practices.'" In short, you need to think through these matters in light of your own company's unique issues and history and develop your own approach to doing the right thing and making the commitment to doing the right thing, part of your company's DNA. Use checklists at the end of the process to make sure you haven't missed anything. They shouldn't be the starting point.

Conclusion

I began my remarks by taking note of the actions the Commission has taken against a host of well-known companies and individuals. Those cases paint a generally grim picture of the recent state of American business culture.

I'd like to end my remarks, though, on a slightly more positive note. While I know our enforcement pipeline remains quite full, I do have the sense - albeit a somewhat guarded sense - that the lessons of Enron and WorldCom and the other cases we've brought in the last few years have begun to take hold. But we can't afford to be complacent. Once the recent scandals recede from our collective memories, it's corporate culture that will serve as the bulwark against the eruption of a new scandal. At another time and in another context, abolitionist Wendell Phillips said: "Eternal vigilance is the price of liberty . . . ." Eternal vigilance is sound advice in this time and in this context. By soundly endorsing the values of honesty and integrity, by rewarding employees who adhere to those values, and by providing avenues for employees to report ethical lapses, you can cultivate a healthy, thriving ethical climate in your companies. By setting a tone of integrity at the top, you can create a climate for long-term success, a climate in which everyone gets it right.